Off-by-none: Issue #13

Live from AWS re:Invent…

Welcome to Issue #13 of Off-by-none. We’re coming to you LIVE from AWS re:Invent in Las Vegas!

Last week we looked at some clever use cases for Step Functions, revisited serverless microservices, and made the serverless case for startups. This week we rethink serverless+RDBMS, challenge the objections of laggards, protect ourselves from DoS and other attacks, and of course, look at some new AWS product launches.

So many amazing things to get to today, so let’s jump right in!

When you’re not sure if RDBMS and serverless mix… ☯

Many of us wished for RDS HTTP Endpoints, and the other day, AWS announced that you can now access your Amazon Aurora Serverless Database with the New Data API (Beta). No VPCs, no connection management, and automatic scaling with Aurora Serverless. Almost sounds too good to be true. 😳

And… it sort of is (for now). In Aurora Serverless Data API: A First Look, I share the results of a few experiments I ran as well as some of my initial thoughts on the implementation. TLDR; The latency is really bad and this isn’t ready for primetime. But like all things AWS, it’ll get much better before GA.

Is RDBMS in serverless applications even a good idea? Paul Johnston shares his thoughts on Serverless and Data Rigidity and argues that other technologies (like NoSQL) have removed the need for them. He’s not wrong, but there are still plenty of use cases that relational databases work well for. One thing we can definitely agree on: AVOID ORMs! 🙌

When you’re looking for some serverless inspiration… 💡

Serverless, Inc. is wrapping up #NoServerNovember with the re:Invent serverless virtual hackathon. Build a serverless app for a non-profit, feel good about yourself, and win some swag.

If you want to get a bit more complex, try building a chat application using AWS AppSync and Serverless.

Are you writing your code in Python? AWS SAM CLI just introduced the sam build Command that lets you easily package all your dependencies. Or you can learn How To Package External Code In AWS Lambda Using the Serverless Framework.

What to do when your boss won’t let you play with serverless… 👨🏻‍💻

James Beswick outlines five common objections to adopting serverless in his new post, Scared Serverless — How do you handle opposition from your IT group? Lots of ammunition in here if you find yourself needing to defend your (very wise) decision.

If they’re still not convinced, maybe this Twitter thread will help. Simon Wardley says, “The overwhelming output of most businesses is waste. Serverless is way larger than you think. More significant than cloud was.” It’s definitely worth the read (plus there’s maps).

When you realize you’re still responsible for securing your serverless application… 🔒

Avi Shulman from PureSec wrote a great post on Lambda DoS Mitigation Strategies. See how different invocation types and retry policies can be leveraged by attackers to wreak havoc on your serverless applications. Lots of practical tips in here including a number of best practices and tips to minimize your exposure.

Want to add even more security to your serverless app? Amazon API Gateway has added support for AWS WAF, which means no more creating regional endpoints and using your own CloudFront distribution. It still won’t prevent event injection, but it’s a good start.

And just when you think that npm audit will protect you from third-party package vulnerabilities, we discover another widely used open source software that contained a bitcoin-stealing backdoor. Luckily it only has 2 million weekly downloads. 🤦🏻‍♂️ A friendly reminder to minimize dependencies in your serverless applications.

What to expect when 50,000 AWS fans in Vegas are waiting for more product updates… 🚀

There’s only been one full day of re:Invent and AWS has already announced a number of products and services that are pushing serverless to a whole new level. I’ve heard a lot of whispers, so expect many more to come over the next few days. 🤘🏻

Serverless Star of the Week ⭐️

There is a very long list of people that are doing #ServerlessGood and contributing to the Serverless community. These people deserve recognition for their efforts. So each week, I will mention someone whose recent contribution really stood out to me. I love meeting new people, so if you know someone who deserves recognition, please let me know.

This week’s star is Chris Munns (@chrismunns). Chris is a Principal Developer Advocate for Serverless at Amazon Web Services and a great resource for anyone working with (or interested in) serverless. He’s a regular speaker at events, an AWS blog contributor, a host on Serverless Bytes, and he also puts on the occasional webinar. Even though he works for AWS, he’s a huge advocate for serverless computing in general and will always jump into a good debate on Twitter. This week he’s not only giving a number of talks at re:Invent, but also finding some time to spend with members of the serverless community.

Final Thoughts 🤔

The buzz around serverless at re:Invent is absolutely amazing. Every session I’ve attended so far has been bursting with people that are either already using it in production, or are hoping to start. I know we are in a bit of bubble here, but it’s clear that AWS is continuing to make massive investments in serverless technologies and wants to continue to be the market leader. Exciting times ahead.

I hope you’ve enjoyed this issue of Off-by-none. Your feedback and suggestions are always welcome and much appreciated. It helps me make this newsletter better each week. Please feel free to contact me via Twitter, LinkedIn, Facebook, or email and let me know your thoughts, criticisms, and if you’d like to contribute to Off-by-none.

Go build some amazing serverless apps and enjoy the rest of re:Invent! ⚡️

I’ll be here all week😉
Jeremy

P.S. If you liked this newsletter, please share with your friends and coworkers. I’d really appreciate it. Thanks!

Serverless Security: Locking Down Your Apps with FunctionShield

I’ve written quite extensively about serverless security, and while you don’t need to be an expert on the matter, there are a number of common sense principles that every developer should know. Serverless infrastructures (specifically FaaS and managed services) certainly benefit from an increased security posture given that the cloud provider is handling things like software patching, network security, and to some extent, even DDoS mitigation. But at the end of the day, your application is only as secure as its weakest link, and with serverless, that pretty much always comes down to application layer security.

In this post we’re going to look at ways to mitigate some of these application layer security issues by using some simple strategies as well as a free tool called FunctionShield.

Audio Version:

Continue Reading…

5 Reasons Why Your Serverless Application Might Be A Security Risk

There has been a lot of buzz lately about serverless security. People are certainly talking about it more and sharing great articles on the topic, but many serverless developers (especially new ones) are still making the same critical mistakes. Every time a serverless function is deployed, its unique security challenges need to be addressed. Every time. I’ve researched and written extensively about serverless security (see Securing Serverless: A Newbie’s Guide). I’ve read countless articles on the subject. And while there is no shortage of information available, let’s be honest: developers are busy building applications, not pouring through hundreds of articles.

I know, it sounds boring, but I would encourage you to do your research on serverless security. Serverless applications are different than traditional, server-hosted applications. Much of the security responsibility falls on the developer, and not following best practices opens you (or your company) up to an attack. But I know you’re busy. I totally get it. So rather than forcing you to read a bunch of long articles 😴 or watch a plethora of videos 🙈, I’ve whittled it all down to the five biggest serverless security risks for you. Sure, there are a lot of other things to consider, but IMO, these are the most important ones. Nothing here hasn’t been said before. But If you do nothing more than follow these principles, your serverless applications will be much more secure. 🔒

Continue Reading…

Event Injection: A New Serverless Attack Vector

As more and more developers and companies adopt serverless architecture, the likelihood of hackers exploiting these applications increases dramatically. The shared security model of cloud providers extends much further with serverless offerings, but application security is still the developer’s responsibility. There has been a lot of hype about #NoOPS with serverless environments 🤥, which is simply not true 😡. Many traditional applications are frontended with WAFs (web application firewalls), RASPs (runtime application self-protection), EPPs (endpoint protection platforms) and WSGs (web security gateways) that inspect incoming and outgoing traffic. These extra layers of protection can save developers from themselves when making common programming mistakes that would otherwise leave their applications vulnerable. With serverless, these all go away. 😳

Continue Reading…

10 Things You Need To Know When Building Serverless Applications

I am a HUGE fan of serverless architectures. This new type of compute not only opens up more possibilities for developers, but can support highly-scalable, complex applications for a fraction of the cost compared to provisioning virtual servers. My first question when planning a new application is always, “Can I build this with serverless?” Spoiler alert, the answer is almost always YES!

I’ve been building serverless applications since the release of AWS Lambda in 2015, so answering the question above is pretty easy for me. However, a lot of people I talk to who are new to serverless often have many questions (and misconceptions). I want you to be successful, so below I’ve create a list of 10 things you need to know when building a serverless application. These are things I wish I knew when I started, so hopefully they’ll help you get up to speed a faster and start building some amazing applications.

Continue Reading…

Securing Serverless: A Newbie’s Guide

So you’ve decided to build a serverless application. That’s awesome! May I be the first to welcome you to the future. 🤖 I bet you’ve done a lot of research. You’ve probably even deployed a few test functions to AWS Lambda or Google Cloud Functions and you’re ready to actually build something useful. You probably still have a bunch of unanswered questions, and that’s cool. We can still build some really great applications even if we only know the basics. However, when we start working with new things we typically make a bunch of dumb mistakes. While some are relatively innocuous, security mistakes can cause some serious damage.

I’ve been working with serverless applications since AWS launched Lambda in early 2015. Over the last few years I’ve developed many serverless applications covering a wide range of use cases. The most important thing I’ve learned: SECURE YOUR FUNCTIONS! I can tell you from personal experience, getting burned by an attack is no bueno. I’d hate to see it happen to you. 😢

To make sure it doesn’t happen to you, I’ve put together a list of 🔒Serverless Security Best Practices. This is not a comprehensive list, but it covers the things you ABSOLUTELY must do. I also give you some more things to think about as you continue on your serverless journey. 🚀

Continue Reading…

How To: Access Your AWS VPC-based Elasticsearch Cluster Locally

AWS recently announced that their Elasticsearch Service now supports VPC, which is awesome, for a number of reasons:

1. No more signing every request

Remember this?

Every request had to be signed with AWS’s SigV4 so that the Elasticsearch endpoint could be properly authorized. That meant additional code to sign all your requests, and additional time for the endpoint to decode it. It might only be a few milliseconds of extra processing time, but those can add up. Now we can call our VPC Elasticsearch endpoint with a simple HTTP request.

Continue Reading…